我有以下 Spring 安全配置:
<security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>
<security:form-login
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-url="/api/loginFailed"
/>
<security:intercept-url pattern="/api/**"/>
<security:anonymous enabled="false"/>
<security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
success-handler-ref="logoutSuccessHandler"
/>
<security:csrf disabled="true"/>
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
我输入了错误的密码,执行后无法继续
@RequestMapping(value = "/loginFailed", method = RequestMethod.GET)
@ResponseStatus(HttpStatus.UNAUTHORIZED)
public String loginError(HttpServletRequest httpServletRequest) {
return getErrorMessage(httpServletRequest, SPRING_SECURITY_LAST_EXCEPTION_KEY);
}
我做错了什么?
最佳答案
问题及解决方案如下:
基于您的配置:
<security:intercept-url pattern="/api/**"/>
所有路径都在 api 路径下受到保护。这还包括 authenticationSuccessHandler 配置,根据您当前的配置:。
<security:form-login
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-url="/api/loginFailed"
/>
Spring Security 实际上在登录尝试失败时重定向回 /api/loginFailed,但由于这也是 protected 资源,身份验证入口点将发生另一个重定向。您可以使用网络 Activity 选项卡上的浏览器开发人员工具来验证这一点。
您需要做的是确保authentication-failure-url位于不安全端点上。例如,/loginFailed。
所以这个配置可以工作:
<security:intercept-url pattern="/api/**"/>
<security:form-login
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-url="/loginFailed"
/>
关于java - spring security 忽略authentication-failure-url,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36286974/